  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 894

Remote Desktop Services, VPN and secure connection(s)

We are testing Windows 2008 remote app services. We have 2 needs. First, remote offices need access to a SQL application that can only run on the HQ LAN, so we are planning on utilizing remote app. Second, remote offices also need access to network files to be able to open on their local machine.

We started testing with using the same box for VPN and RDS. The idea is that the users connect via VPN so that they can access network files locally by mapping the network share. Then to access the HQ application they use remote app. The W8K box sits behind the firewall with VPN ports forwarded. So far we have it set up so that the remote app is only accessible when a VPN connection exists. Because we don't have two form factor authentication, VPN port access on the firewall is locked down to users' IP addresses. This controls what locations can use VPN, and since the remote app only connects using a LAN machine name, this controls access to the application. Does this sound like the best method to address both issues?

I have read that, using the TS Gateway, RDP sessions can be a secured communications channel because traffic is encrypted over HTTPS (443). If I block 3389 on the firewall then the users cannot connect. Is this only a feature that works in conjunction with TSWEB? When a user connects using RDP (either through the VPN or without VPN) I see no 443 traffic. It would be nice to be able to create RDP sessions for remote apps without having to create a VPN connection. How can I be assured the traffic is being encrypted? I have used TCPView and Ethereal to view the traffic and I don't see 443 traffic using the RDP to connect directly to the TS server.

Can a user access network files over RDP and open the file using their local application, or will we need VPN for that?
Asked by: PlazaProp

RobMobility Commented:
Hi,

If you re-direct local drives, you can open local files with the Remote App.

You can force additional protection of the RDP session by enabling TLS, NLA and FIPS encryption - this would then be encapsulated to the TS Gateway - comms between the TS Gateway and the RD Server are over 3389.

I believe that the TS Gateway settings need to be configured before the remote app installer is generated - make sure that the TS Gateway is specified and that bypass isn't enabled.

Regards,


RobMobility.

akhalighi Commented:
I wouldn't expose a company's internal application or files to the Internet, even through HTTPS. I think VPN is the security that you need. As for TS web, I think it works along with usual RDP; it just makes it easier for people to click on an application, but it still launches RDP to connect, so it will need VPN to access local resources.

See this one:
http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/bcc759bf-ac45-4ad6-bd63-ad5635b26884/

and this one:
http://social.technet.microsoft.com/Forums/en/winserverTS/thread/51937b87-b1fc-4028-aa1d-c6bc4955ebd2

PlazaProp (Author) Commented:
RobMobility, as for accessing the files, it is the other way around from what you have described. We need to re-direct remote (HQ) drives so that users can use local apps. Ex. opening a spreadsheet that is on the HQ network.

Can I use the TS Gateway to be able to connect to another workstation via RDP without having to RDP to the TS first (without using TS Web or VPN)?  I thought I read that I could do this via TS Gateway.  

Example: remote office --->> internet --->> HQ firewall --->> workstation

PlazaProp (Author) Commented:
Ok, asked too soon. I found where to put the TS Gateway settings in RDC (see below). Now, can I specify a different port number other than 3389 for the TS Gateway?

1.   Open the Remote Desktop Connection client. To open the Remote Desktop Connection client, click Start, point to All Programs, point to Accessories, and then click Remote Desktop Connection.

2.   In the Remote Desktop Connection dialog box, click Options to expand the dialog box and view settings.

3.   On the Advanced tab, in the Connect from anywhere area, click Settings.

4.   In the Gateway Server Settings dialog box, select the appropriate options:

·        Use these TS Gateway server settings. You select this option and specify the name of the TS Gateway server that you want to connect to and the logon method to use for the connection. Note that when you specify a name for the TS Gateway server, you must use a fully qualified domain name (FQDN), such as "MyTSGatewayServername.MyCompany.com", but without the https://www. prefix in front.

·      Bypass TS Gateway server for local addresses. This option is selected by default.  Please uncheck this checkbox.

5.   Click OK.

PlazaProp (Author) Commented:
RobMobility,

In the past we have avoided mapping the client drive over RDP for security reasons. Plus, transferring a file via RDP is slow. I haven't benchmarked file transfer RDP vs. VPN yet.

oneitnz Commented:
Hi PlazaProp.

I think you are worrying way too much about security; you don't get any more secure than a connection over port 443.

If I were you I would set up the TS Gateway, and you just need to forward port 443 from your firewall to it; you no longer need port 3389 open to the internet.

The TS Gateway acts as an RDP proxy as such, and all transfers from the client are encrypted over the internet; it then forwards traffic to the RD Session Host using port 3389.

You have already found where to configure the Gateway details in the Remote Desktop Client, which is exactly what you need to do. Then you can simply enter any internal computer name on the General tab and it will connect to the internal computer.

As for accessing the local drives of the server over the internet, I'm afraid the only secure way is with a VPN. You have two options: either an IPsec tunnel between 2 VPN firewalls, or PPTP or SSL VPN connections on every client computer.

Your other option is to just let the remote users perform everything on the terminal server and do away with local computing altogether, my preferred solution.

Hope this all helps.
Brett Smith
One IT - Remote Desktop Specialists

PlazaProp (Author) Commented:
oneitnz, thanks for the reply. Concise and to the point.

So to use port 443 do we have to use TSWeb?

Does putting the gateway information in the RDC client force the client to use port 443, or is it still using 3389 and just bypassing logging directly in to the TS?

The only problem with doing everything on the terminal server (for us) is that then we would have to buy new licenses for MS Office (the retail version of MS Office 2010 will not install on a TS, apparently a special version is needed, plus we have a mix of 2003 and 2010); management denied funding for new Office for TS. I have suggested Open Office but our users are too hooked in to MS Office and our accounting dept needs Excel because of a special accounting add-on.

There are multiple solutions for this issue but I have to do it as low cost as possible (i.e. do more with less, the story of the century). So bells and whistles are out the door (i.e. no SharePoint, document management system, etc.)

oneitnz Commented:
Hi PlazaProp
Just to confirm: once you have tested and confirmed that you can connect via the RD Gateway server, you will no longer need to have port 3389 open on the firewall to the outside; all traffic will be proxied over port 443.

No, you don't need to use the TSWeb; that is just installed along with it. I'm not sure if you could just stop the IIS site so that people couldn't reach your TSWeb site, if that's what you're wondering. I believe this would probably stop it listening on port 443 and stop the gateway working altogether.

I am curious to know if you're running Exchange 2007, either on an SBS 08 box or standalone, because I've just discovered this awesome little hidden gem which allows you to access file shares through OWA.

Can't find a proper Microsoft article on it, but this guy's written a decent setup guide.
http://www.bunkerhollow.com/blogs/matt/archive/2007/12/21/file-sharing-with-exchange-2007-outlook-web-access.aspx 

That will solve all your problems without needing a VPN.

PlazaProp (Author) Commented:
oneitnz,

I figured that disabling TSWeb (IIS) would stop communications over port 443 since port 443 is HTTPS.

We are not running Exchange at all. But thanks for the link, very interesting if we decide to implement Exchange.

I get that RDP will be proxied over port 443 if using TSWEB, but is there a way to directly tell the RDP Client to use port 443 (or another port) for the TS Gateway?

I have tried to specify the port number in the TS Gateway settings in the client but I get an error. I am guessing that the TS Gateway defaults to port 3389, no matter what. Anyone agree with that statement?

oneitnz Commented:
Hi Plaza
TS Gateway actually already defaults to port 443, here is a screenshot of the Remote Desktop Client. You need to open Options then go to the Advanced Tab and Click Settings under connect from anywhere.
Just enter the External DNS name of the TSWeb/RD Gateway server in the box and then on the General Tab enter the Internal Computers Name.

Regards
Brett

[Screenshot: Remote Desktop Gateway Settings]
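The gateway options discussed in this thread (the gateway server name and the "Bypass TS Gateway server for local addresses" checkbox) are saved in .rdp files as `gatewayhostname` and `gatewayusagemethod`. The following is an added example, not code from any poster in the thread, that audits an .rdp file for those settings and for NLA; the file contents and host names are constructed samples.

```python
# Added example: audit an .rdp file for the TS Gateway options discussed above.
GATEWAY_USAGE = {            # documented values of gatewayusagemethod
    0: "gateway not used",
    1: "always use the gateway",
    2: "gateway only if a direct connection fails (bypass for local addresses)",
    3: "use default gateway settings",
    4: "gateway not used, bypass for local addresses",
}

# Constructed sample files; host names are placeholders.
GOOD = """full address:s:ws-accounting-01
gatewayhostname:s:tsgw.example.com
gatewayusagemethod:i:1
enablecredsspsupport:i:1
"""
BAD = """full address:s:ws-accounting-01
gatewayhostname:s:https://www.tsgw.example.com
gatewayusagemethod:i:2
enablecredsspsupport:i:0
"""
DIRECT = "full address:s:hq.example.com:3389\n"

def parse_rdp(text):
    """Parse 'name:type:value' lines (type i = integer, s = string, b = binary)."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)      # the value may contain ':'
        if len(parts) != 3:
            continue
        name, kind, value = parts
        is_int = kind == "i" and value.lstrip("-").isdigit()
        settings[name.lower()] = int(value) if is_int else value
    return settings

def audit_rdp(text):
    """Return a list of findings; an empty list means the gateway is enforced."""
    s, findings = parse_rdp(text), []
    gw = s.get("gatewayhostname", "")
    if not gw:
        findings.append("no gateway set: client connects directly to the target")
    elif "://" in gw or "." not in gw:
        findings.append("gateway name should be a bare FQDN, got %r" % gw)
    usage = s.get("gatewayusagemethod")
    if gw and usage != 1:
        findings.append("gatewayusagemethod=%r: %s"
                        % (usage, GATEWAY_USAGE.get(usage, "not set or unknown")))
    if s.get("enablecredsspsupport") == 0:
        findings.append("NLA (CredSSP) disabled")
    return findings
```

Running `audit_rdp` over the .rdp files handed to remote offices shows which ones would still attempt a direct connection instead of going through the gateway.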